_ >   14 14     #set log(login_url) notice
  15 15     #set log(login_cookie) notice
  16 16     #set log(timeout) notice
< >     17     #set log(session_id) notice
17 18
< >   18       ad_proc -private log {kind msg} {
    19     ad_proc -private log {kind args} {
19 20         Helper proc for debugging security aspects.
  20 21         Uncomment some of the log(*) flags above to activate
  21 22         debugging and reload this file.
  22 23     } {
  23 24         set var ::security::log($kind)
  24 25         if {[info exists $var]} {
< >   25               ns_log [set $var] "$kind $msg"
    26             ns_log [set $var] "$kind [join $args { }]"
26 27         }
  27 28     }
  28 29 }
 
109 110     Reads the security cookies, setting fields in ad_conn accordingly.
  110 111
  111 112 } {
< >   112       ns_log debug "OACS= sec_handler: enter"
    113     ::security::log session_id "OACS= sec_handler: enter"
113 114
  114 115     if {[info exists ::security::log(login_cookie)]} {
  115 116         foreach c [list session_id secure_token user_login user_login_secure] {
 
242 243         set user_id 0
  243 244         set account_status closed
  244 245
< >     246         ::security::log session_id "sec_handler: session_id $session_id invalidated_p [sec_session_id_invalidated_p $session_id]"
    247
245 248         if {$login_level > 0 && [sec_session_id_invalidated_p $session_id]} {
  246 249             #
  247 250             # Check, if the session_id was invalidated (e.g. via
 
311 314             ::security::log login_cookie "Secure session checked: session_id = $session_id, session_user_id = $session_user_id, auth_level = $auth_level, user_id = $user_id"
  312 315         }
  313 316
< >     317         ::security::log session_id "sec_handler: setup ad_conn with session_id $session_id untrusted_user_id $session_user_id user_id $user_id auth_level $auth_level"
    318
314 319         # Setup ad_conn
  315 320         ad_conn -set session_id $session_id
  316 321         ad_conn -set untrusted_user_id $session_user_id
 
328 333         ::security::log timeout "SessionRefresh in [expr {($session_expr - [sec_session_renew]) - [ns_time]}] secs"
  329 334
  330 335         if {  $session_expr - [sec_session_renew] < [ns_time] } {
< >     336             ::security::log login_cookie "sec_handler: generate new session_id_cookie"
331 337             sec_generate_session_id_cookie
  332 338         }
  333 339     }
 
638 644 } {
  639 645     Logs the user out.
  640 646 } {
< >     647     ad_log notice "ad_user_logout user_id [ad_conn user_id]"
641 648
  642 649     set external_registry [sec_login_get_external_registry]
  643 650     if {$external_registry ne ""} {
 
898 905     and generates the cookies necessary for the session.
  899 906
  900 907 } {
< >   901       ns_log debug "OACS= sec_setup_session: enter"
    908     ::security::log session_id "OACS= sec_setup_session: enter"
902 909
  903 910     set session_id [ad_conn session_id]
  904 911
  905 912     # figure out the session id, if we don't already have it
  906 913     if { $session_id eq ""} {
  907 914
< >   908           ns_log debug "OACS= empty session_id"
    915         ::security::log session_id "OACS= empty session_id"
909 916
  910 917         set session_id [sec_allocate_session]
  911 918         # if we have a user on a newly allocated session, update
  912 919         # users table
  913 920
< >   914           ns_log debug "OACS= newly allocated session $session_id"
    921         ::security::log session_id "OACS= newly allocated session $session_id"
915 922
  916 923         if { $new_user_id != 0 } {
  917 924             ns_log debug "OACS= about to update user session info, user_id NONZERO"
 
947 954             # A change of user_id on an active session demands an
  948 955             # update of the users table.
  949 956             #
< >   950               ns_log debug "sec_update_user_session_info"
    957             ::security::log login_cookie "sec_update_user_session_info"
951 958             sec_update_user_session_info $new_user_id
  952 959         }
  953 960     }
 
968 975     ad_conn -set account_status $account_status
  969 976     ad_conn -set user_id $user_id
  970 977
< >   971       ns_log debug "OACS= about to generate session id cookie"
    978     ::security::log session_id "OACS= about to generate session id cookie"
972 979
  973 980     sec_generate_session_id_cookie -cookie_domain $cookie_domain
  974 981
< >   975       ns_log debug "OACS= done generating session id cookie"
    982     ::security::log session_id "OACS= done generating session id cookie"
976 983
  977 984     if { $auth_level eq "secure"
  978 985          && ([security::secure_conn_p] || [ad_conn behind_secure_proxy_p])
 
1084 1091
  1085 1092     if { ![info exists ::acs::sec_id_max_value] || ![info exists ::acs::sec_id_current_sequence_id]
  1086 1093          || $::acs::sec_id_current_sequence_id > $::acs::sec_id_max_value } {
< >     1094         ::security::log session_id "sec_allocate_session: info exists ::acs::sec_id_max_value [info exists ::acs::sec_id_max_value]" \
    1095             "info exists ::acs::sec_id_current_sequence_id [info exists ::acs::sec_id_current_sequence_id]"
1087 1096         # Thread just spawned or we exceeded preallocated count.
  1088 1097         set ::acs::sec_id_current_sequence_id [db_nextval sec_id_seq]
  1089 1098         db_release_unused_handles
 
1719 1728         set secret_token $secret
  1720 1729     }
  1721 1730
< >   1722       ns_log Debug "__ad_verify_signature: Getting token_id $token_id, value $secret_token ; "
  1723       ns_log Debug "__ad_verify_signature: Expire_Time is $expire_time (compare to [ns_time]), hash is $hash"
    1731     ns_log Debug "__ad_verify_signature: Getting token_id $token_id, value $secret_token"
    1732     ns_log Debug "__ad_verify_signature: Expire_Time is $expire_time (compare to [ns_time], diff [expr {[ns_time]-$expire_time}]), hash is $hash"
1724 1733
  1725 1734     if {$binding == -1} {
  1726 1735         set binding_value [ad_conn user_id]
 
1731 1740     }
  1732 1741
  1733 1742     #
< >   1734       # Compute hash based on tokes, expire_time and user_id/csrf token
    1743     # Compute hash based on token, expire_time and user_id/csrf token
1735 1744     #
< >     1745     ns_log Debug "__ad_verify_signature: compute hash based on $value/$token_id/$expire_time/$secret_token/$binding_value (binding $binding)"
1736 1746     set computed_hash [ns_sha1 "$value$token_id$expire_time$secret_token$binding_value"]
  1737 1747
  1738 1748     # Need to verify both hash and expiration
 
1747 1757         # Check to see if IE is lame (and buggy!) and is expanding \n to \r\n
  1748 1758         # See: http://rhea.redhat.com/bboard-archive/webdb/000bfF.html
  1749 1759         #
< >     1760         ns_log Debug "__ad_verify_signature: hashes differ '$computed_hash' vs '$hash'"
1750 1761         set value [string map [list \r ""] $value]
  1751 1762         set org_computed_hash $computed_hash
  1752 1763         set computed_hash [ns_sha1 "$value$token_id$expire_time$secret_token$binding_value"]
 
1772 1783     } else {
  1773 1784         ns_log Debug "__ad_verify_signature: Expiration time ($expire_time) less than or equal to current time ([ns_time]) - Expiration check FAILED"
  1774 1785     }
< >     1786     ns_log Debug "__ad_verify_signature: hash_ok '$hash_ok_p' expiration_ok_p '$expiration_ok_p'"
1775 1787
  1776 1788     # Return validation result
  1777 1789     return [expr {$hash_ok_p && $expiration_ok_p}]
< >   1778  
1779 1790 }
  1780 1791
  1781 1792 ad_proc -public ad_get_signed_cookie {
 
3616 3627         }
  3617 3628
  3618 3629         set token [token -tokenname $tokenname]
< >     3630
3619 3631         if {$oldToken ne $token} {
< >     3632             ::security::log session_id "CSRF old token <$oldToken> new token <$token> peeraddr [ad_conn peeraddr]"
3620 3633             fail
  3621 3634         }
  3622 3635     }
 
3640 3653             # Anonymous request, use a peer address as session_id
  3641 3654             #
  3642 3655             set session_id [ad_conn peeraddr]
< >     3656             ::security::log session_id "GET CSRF token: Anonymous request -> $session_id"
3643 3657         } else {
  3644 3658             #
  3645 3659             # User is logged-in, use a session token.
  3646 3660             #
  3647 3661             set session_id [ad_conn session_id]
< >     3662             ::security::log session_id "GET CSRF token: authenticated request -> $session_id"
3648 3663         }
  3649 3664         return $session_id
  3650 3665     }
 
3671 3686             set token [set $globalTokenName]
  3672 3687         } else {
  3673 3688             set secret [ns_config "ns/server/[ns_info server]/acs" parameterSecret ""]
< >     3689             ::security::log session_id "CSRF token: create token based on [session_id]"
    3690
3674 3691             if {[namespace which ::crypto::hmac] ne ""} {
  3675 3692                 set token [::crypto::hmac string $secret [session_id]]
  3676 3693             } else {
 
3702 3719 }
  3703 3720
  3704 3721 nsv_set validated_location http://localhost 1
< >     3722
< _   3705 3723 #
  3706 3724 # Local variables:
  3707 3725 #    mode: tcl
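Review bot: The debug line added at new line 1745 in `__ad_verify_signature` writes `$secret_token` to the log together with `$value`, `$token_id`, `$expire_time` and `$binding_value`, which are exactly the inputs of the `ns_sha1` call on the following line, so a reader of a Debug-level log would hold everything the signature depends on. Identify the secret by its id only, e.g. `ns_log Debug "__ad_verify_signature: compute hash based on $value/$token_id/$expire_time/<secret>/$binding_value (binding $binding)"`, and drop `, value $secret_token` from the reworded message at new line 1731. The new CSRF message at 3632 has the same shape, printing `$oldToken` and `$token` in full whenever the `log(session_id)` flag is enabled; logging only that they differ, plus the peer address, would still serve the debugging purpose. The enclosing procs begin and end outside the visible hunks, so whether Debug logging is ever switched on in production cannot be judged from this page.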